@richgalloway  This is my props.conf : [<sourcetype>] CHARSET = UTF-8 SHOULD_LINEMERGE = false NO_BINARY_CHECK = true LINE_BREAKER = ([\r\n]+) NO_BINARY_CHECK = true INDEXED_EXTRACTIONS = csv KV_MODE = none category = Structured disabled = false pulldown_type = true TRANSFORMS-set = eliminate-null_data description=Comma-separated value format. Set header and other settings in "Delimited Settings" transforms.conf: [eliminate-null_data] REGEX=<my regex> DEST_KEY = queue FORMAT = nullQueue Note: the data flow can be stopped in order to send the desired data to null queue.  ... View more

@richgalloway Here I cannot use the regex because the field1 value and field2 values are same. for example,  field1 field2 abc abc xyz abc pqr abc qwe abc   I want to send the data where field1 = field2. can you please suggest? ... View more

richgalloway, I am able to send the empty records to null queue but I also want to send few more to null queue(as cited in the query above). I have ingested the data using UF itself.  ... View more

Hi @isoutamo  Which platform those UF's are? -- Windows platform Are you using DS for deploy those configs (probably not as you try to put those under system/local) -- No DS My guidelines is that never ever put anything under system/local if it works somewhere else -- This is just for testing purpose, but reverted the change from etc/system/local to etc/apps/TA/local Have you restart UF after adding those configurations or have you added those with CLI commands? ----Since it is Windows, have placed the TA manually by copy paste. Restarted Splunk services from Services Which user is running splunk -- We have a user called splunk  Have you check UF's splunkd.log to see if there are any errors related to this -- Till now no such errors, but can see INFO  ProxyConfig - Failed to initialize https_proxy from server.conf for splunkd. Are UF's internal log seen on splunk SH? -- Yes I can see the splunk internal logs on SH but not the logs on the specified index   ... View more